IOS Router with Multiple VPN Groups

thiland
Level 3

Similar to a discussion I read with a PIX firewall, I need to set up multiple VPN groups on an IOS-based router to support different levels of security. For example, a VPN group "GUESTS" would only have access to 1 server, whereas VPN group "ADMIN" would have access to the whole network.

With a PIX firewall, you can just specify additional group names (e.g. "vpngroup group1", "vpngroup group2", and so on). However, I have not been able to find how to do it with an IOS-based router (Cisco 831 running 12.3(4)T).

For example, I have these dynamic VPN groups:

crypto isakmp client configuration group GUESTS
 key password1
 dns 10.1.1.1
 pool IP-POOL1
crypto isakmp client configuration group ADMIN
 key password2
 dns 10.1.1.1
 pool IP-POOL2

!--- The users get authenticated to a RADIUS server
crypto map CRYPTOMAP client authentication list VPN-USER

!--- The problem is with this line below. I can only specify one authorization list (one group name) for this crypto map!
crypto map CRYPTOMAP isakmp authorization list ADMIN

I have researched on this site, Google, usenet, and CCO and haven't found what I'm looking for. Any ideas?

Thanks.

Accepted Solution

gfullage
Cisco Employee

The "isakmp authorization list" command you reference does not reference the VPN group; it references an AAA authorization list name which specifies that the groups are locally configured. Change it to the following:

aaa authorization network groupauthor local
crypto map CRYPTOMAP isakmp authorization list groupauthor

The "groupauthor" is just a label that matches the crypto command to the aaa command. Your VPN clients will then be matched to a specific group dependent on what group name they have configured in their VPN client.

See http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080095106.shtml for details, this is a 3002 HW client to a router, but the router config is exactly the same.

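To make the mechanism in the accepted answer concrete, here is a complete configuration skeleton for the setup the question describes. It is an added example written for this page, not configuration posted in the thread and not taken from the linked Cisco document. Everything beyond the group names, pool names, list names and the crypto map name already in the thread is assumed: the interface names and addresses (Ethernet0 inside, Ethernet1 outside), the pool ranges, the RADIUS server 10.1.1.5, the single guest-reachable server 10.1.1.20, the ACL name VPN-TO-LAN, and the ISAKMP/IPsec parameters.

```cisco
! Added example (assumed values, not from the original thread).
! Two Easy VPN groups with different access levels on an IOS router.
aaa new-model
! Keep console/vty logins working after enabling aaa new-model (assumed).
aaa authentication login default local
! Xauth user check goes to RADIUS; the VPN-USER list name matches the
! "client authentication list" line on the crypto map.
aaa authentication login VPN-USER group radius
! "groupauthor" is only a label tying the crypto map to this AAA list;
! "local" says the group attributes live in this config.
aaa authorization network groupauthor local
radius-server host 10.1.1.5 auth-port 1645 acct-port 1646 key RADIUS-SECRET
!
! IKE policy for the Cisco VPN client (group 2 required for client XAuth).
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Group name and key are what the client presents; each group maps to
! its own address pool, which is what the ACL below keys on.
crypto isakmp client configuration group GUESTS
 key password1
 dns 10.1.1.1
 pool IP-POOL1
crypto isakmp client configuration group ADMIN
 key password2
 dns 10.1.1.1
 pool IP-POOL2
!
! Non-overlapping pools: the access difference is enforced by source address.
ip local pool IP-POOL1 10.10.1.1 10.10.1.50
ip local pool IP-POOL2 10.10.2.1 10.10.2.50
!
crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set VPN-TS
!
! One crypto map: user auth list, ONE group-authorization list (not a
! group name), mode-config address assignment, dynamic map entry.
crypto map CRYPTOMAP client authentication list VPN-USER
crypto map CRYPTOMAP isakmp authorization list groupauthor
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic DYNMAP
!
! The group alone grants nothing: this ACL is what limits GUESTS
! (IP-POOL1) to the single server and leaves ADMIN (IP-POOL2) unrestricted.
ip access-list extended VPN-TO-LAN
 permit ip 10.10.1.0 0.0.0.255 host 10.1.1.20
 deny   ip 10.10.1.0 0.0.0.255 any
 permit ip any any
!
interface Ethernet0
 description inside LAN (assumed)
 ip address 10.1.1.254 255.255.255.0
 ip access-group VPN-TO-LAN out
!
interface Ethernet1
 description outside (assumed address)
 ip address 203.0.113.1 255.255.255.0
 crypto map CRYPTOMAP
```

After a client connects, "show crypto isakmp sa" and "show ip local pool" confirm which pool the tunnel drew its address from, which is the only thing the group name decides on the router. Two caveats worth keeping in mind: the group key is a pre-shared secret known to every member of that group, so the GUESTS key should be treated as low-value and rotated when people leave; and because the ACL is applied outbound on the LAN interface it does not cover traffic from the guest pool to the router itself (management ports), which needs its own restriction if that matters in your network.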

3 Replies


Ah I see. I was under the impression that the AAA list name, crypto map list name, and group name all had to be identical.

I'll try this out today and let you know.

Thanks --

Tried this out yesterday using a generic name for the AAA list name and 2 dynamic VPN groups (each group getting assigned to a different IP Pool) and it worked as advertised.

Thanks for your help.